On 08/09/2018 09:34 AM, Matt Caswell wrote:
> On 08/08/18 20:49, Robert Moskowitz wrote:
>> Finally back to working on my EDDSA pki.
>> Working on beta Fedora29 which now ships with:
>> OpenSSL 1.1.1-pre8 (beta) FIPS 20 Jun 2018
>> To recap, there are challenges on hash specification. In creating
>> certs, I cannot have a default_md line in my .cnf file, or at least not
>> one that sets it to sha256. And in those commands where I had to have
>> -md sha256 with ecdsa, I have to have -md null. This is compared to those
>> commands that took -sha256 and now require nothing on the command line
>> about the hash.
>> So on to the crl:
>> openssl ca -config $dir/openssl-$intermediate.cnf \
>> -gencrl -out $dir/crl/$crl
>> Using configuration from /root/ca/intermediate/openssl-intermediate.cnf
>> Enter pass phrase for /root/ca/intermediate/private/intermediate.key.pem:
>> variable lookup failed for CA_default::default_md
>> 3069739024:error:0E06D06C:configuration file routines:NCONF_get_string:no value:crypto/conf/conf_lib.c:275:group=CA_default name=default_md
>> In this .cnf file, there is no default_md line.
>> So I added -md to the command line:
>> openssl ca -config $dir/openssl-$intermediate.cnf -md null \
>> -gencrl -out $dir/crl/$crl
>> And that worked.
>> Very confusing. It would be preferable if EDDSA-related generation just
>> ignored md values?
> I've just created PR 6901 that will hopefully improve things. This
> basically ignores any -md or default_md setting if EdDSA is in use.
> https://github.com/openssl/openssl/pull/6901
Matt,
Thanks for addressing this. It will keep a lot of questions off the
user list once use of EDDSA becomes 'mainline'.
Please let me know when a beta is out with this change so I can ask the
Fedora team to grab it so I can test it.
It pulls a big caveat section from the eddsa-pki draft I am writing.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users